Efforts to phase out passwords gained a burst of momentum this week as Google rolled out passkeys, a secure and frictionless form of password-free login credentials. This enables billions of users to log into their Google Account on all major platforms. And yes, this includes Google Sign-in, the most popular social login with 54% market share. It’s everywhere. Users can even use passkeys to secure their password vault in Google Password Manager.
Passkeys were released in 2022, but they have not yet been widely adopted. However, Google’s move holds the potential for sweeping change. With passkeys, users simply log in with a fingerprint or facial biometric. In one simple action, users present two factors: a biometric and a private key on their device. Passkeys leverage FIDO standards, which are founded in strong cryptographic methods.
Previously, you could use passkeys with a Google account, but it still required a password. Now, with passkeys, Google replaces passwords entirely — the greatest risk and source of friction is gone. In this blog we’ll explain why that’s a game changer and what Google’s passkeys rollout means for your business. But it’s not picture perfect; when we solve one problem, more problems arise. As such, we’ll also cover a few weaknesses of passkeys and how to secure them.
First, we all know passwords are phishable, stuffable and guessable — the root cause of 81% of all security breaches. When passwords are stolen, leaked or purchased, bad actors use credential stuffing to take over other accounts. And it’s easy given that 84% of consumers reuse the same or similar passwords for many accounts. All threats that target or use passwords are highly successful and are only getting worse as bots automate attacks.
At the same time, passwords create a terrible customer experience. They’re hard to remember and too often lead to lockouts, sending the user through a friction-filled reset process or leading them to drop off entirely. That’s lost business! And because passwords are weak, we strengthen them by adding one-time passcodes, email magic links or knowledge-based questions. All of these methods further degrade the customer experience, impacting your bottom line.
Passkey-based credentials are secured by public-private key cryptography, proven to prevent credential stuffing, phishing and a growing number of attacks aimed at OTPs. In terms of improving UX, passkeys remove the need to remember passwords, switch contexts or have additional devices on hand to complete two-factor authentication with an OTP or magic link.
As an extension of FIDO passwordless authentication, passkeys can be used across multiple devices, solving a limitation of traditional FIDO credentials, which are bound to a single device. That is why Apple, Google and Microsoft moved quickly to adopt passkeys. They add multi-device support by syncing the encrypted passkey credentials to the user’s other passkey-capable devices via the cloud; the biometric itself stays on the device.
The strategy for Google is to enable passwordless authentication for their user base by leveraging industry standards. It’s a clear message that strong passwordless MFA should now be a priority for any organization, regardless of whether the user base is B2E, B2B or B2C.
To create a passkey for your personal Google account, visit http://g.co/passkeys to set one up. Upon clicking the link, Google will prompt you to create a passkey by first authenticating with your existing sign-in method. After authenticating, you can enroll using a face scan, fingerprint or PIN on your device; that biometric or PIN is stored only on the device and is not shared with Google or third parties.
Once a passkey is created, Google will prompt you to sign in with your passkey on future attempts across the Google ecosystem, sidestepping the need to enter passwords or complete two-step verification. Google passkeys are not limited to Chrome: users can enroll in passkeys on other browsers such as Safari as well, although they will need to create a separate passkey for use in another vendor’s ecosystem.
So far, passwordless has been predominantly the purview of workforce authentication, but Google’s announcement extends the convenience and security of passkeys to customer authentication. This sends a resounding message across the industry, a call to embrace identity-first security principles.
In tests so far, Google has stated that login success rates were higher for users who sign in with passkeys as compared to passwords, as reported in Wired. This is no surprise to us at Transmit Security, having led millions of customers through the passwordless journey, including the world’s largest passwordless implementation with Citigroup. As leaders in FIDO-based passwordless authentication, we have seen in our case studies that, given the option, a majority of end users choose to enroll in passwordless, and those who do demonstrate increased engagement with applications.
As passkeys adoption increases and potentially becomes the new normal for identity and authentication, fraudsters will try to find and exploit vulnerabilities in this new technology. Typical FIDO scenarios never transfer private keys over the web, but as we know, passkeys are shared across multiple devices via the cloud or Bluetooth. These methods of transferring credentials, albeit encrypted, may present opportunities for hackers. History tells us they will certainly try.
We have already seen this today with basic MFA. Attackers have exploited popular MFA techniques (e.g. SMS or out-of-band push authentication) by repeatedly sending prompts to users, a tactic known as “MFA fatigue.” With more organizations embracing MFA, more bad actors are employing MFA fatigue tactics to compromise these so-called secured accounts.
Similarly, it should be expected that passkeys — despite providing great CX and security benefits — will be subject to evolving threats and additional measures will be needed to harden passkeys security against these threats. Some of the key vulnerabilities to address include:
As organizations aim to improve overall security with identity-first security principles, MFA has become a standard practice. Unfortunately, basic MFA will no longer suffice. Security and identity leaders must move to non-phishable credentials, based on strong cryptographic standards such as FIDO and passkeys.
Businesses will need to accelerate their support for passkeys, ensure a consistent user experience across environments (including edge cases), and fortify the security of passkeys in applications and websites that are frequently targeted for fraud, such as financial applications and e-commerce, using additional security and risk detection methods to strengthen the benefits of passkeys and overcome their limitations.
Transmit Security Authentication Services helps businesses meet each of these challenges, ensuring a fast, secure and successful rollout of passkeys support:
While passkeys provide users with stronger login credentials, they do not provide the ability to dynamically assess trust throughout the user lifecycle, and registering passkeys ultimately requires users to enroll and authenticate with the same legacy methods that are increasingly compromised by bad actors.
By natively integrating passkeys with a complete and modular set of identity services, including Detection and Response Services for risk, trust, fraud, bots and behavior, Transmit Security enables continuous adaptive trust that takes into account the full context of user behavior. This best-in-class risk engine, as well as natively integrated Identity Verification Service, can also be leveraged to ensure that the right user is enrolling in passkeys, preventing fraud during registration.
The time for businesses to implement passkeys is now. As customers grow more familiar with passkeys and adoption increases, customer demand for passkeys support will grow, further diminishing conversions for accounts protected by legacy authentication methods. To learn more about how you can quickly and securely implement passkeys, check out our Authentication Services or contact sales to set up a personalized demo today.